CVE-2025-66448

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-66448
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66448.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66448
Aliases
Published
2025-12-01T22:45:42.566Z
Modified
2025-12-05T12:32:32.605800Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
vLLM vulnerable to remote code execution via transformers_utils/get_config
Details

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named NemotronNanoVLConfig. When vllm loads a model config that contains an automap entry, the config class resolves that mapping with getclassfromdynamicmodule(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the automap string. Crucially, this happens even when the caller explicitly sets trustremotecode=False in vllm.transformersutils.config.getconfig. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via automap to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66448.json"
}
References

Affected packages

Git / github.com/vllm-project/vllm

Affected ranges

Type
GIT
Repo
https://github.com/vllm-project/vllm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
439368496db48d8f992ba8c606a0c0b1eebbfa69

Affected versions

Other

submission

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.10.0
v0.10.0rc1
v0.10.0rc2
v0.10.1rc1
v0.10.2rc1
v0.10.2rc2
v0.11.0rc1
v0.11.1rc0
v0.11.1rc1
v0.11.1rc2
v0.11.1rc3
v0.11.1rc4
v0.11.1rc5
v0.11.1rc6
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.0.post1
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0.post1
v0.5.1
v0.5.2
v0.5.3
v0.5.3.post1
v0.5.4
v0.5.5
v0.6.0
v0.6.1
v0.6.1.post1
v0.6.1.post2
v0.6.2
v0.6.3
v0.6.3.post1
v0.6.4
v0.6.4.post1
v0.6.5
v0.6.6
v0.6.6.post1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0rc1
v0.8.0rc2
v0.8.1
v0.8.2
v0.8.3rc1
v0.8.4
v0.9.0
v0.9.1
v0.9.1rc1
v0.9.1rc2
v0.9.2rc1